CVE-2022-32549

Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:sling_api::::::::
	cpe:2.3:a:apache:sling_commons_log::::::::

History

No history.

Information

Published : 2022-06-22 15:15

Updated : 2024-02-28 19:09

NVD link : CVE-2022-32549

Mitre link : CVE-2022-32549

CVE.ORG link : CVE-2022-32549

JSON object : View

Products Affected

apache

sling_commons_log
sling_api

CWE

CWE-116

Improper Encoding or Escaping of Output

CWE-117

Improper Output Neutralization for Logs

{"id": "CVE-2022-32549", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2022-06-22T15:15:08.407", "references": [{"url": "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-116"}]}, {"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-117"}]}], "descriptions": [{"lang": "en", "value": "Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files."}, {"lang": "es", "value": "Apache Sling Commons Log versiones anteriores a 5.4.0 incluy\u00e9ndola y Apache Sling API versiones anteriores a 2.25.0 incluy\u00e9ndola, son vulnerables a una inyecci\u00f3n de registros. La capacidad de falsificar registros puede permitir a un atacante cubrir sus huellas al inyectar registros falsos y corrompiendo potencialmente los archivos de registro"}], "lastModified": "2022-06-29T16:26:28.237", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:sling_api:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3DE53A5F-C5AF-4BC5-8E11-25974893ED3F", "versionEndIncluding": "2.25.0"}, {"criteria": "cpe:2.3:a:apache:sling_commons_log:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "292B4F19-0D8F-4F97-918E-9A81CF040B6D", "versionEndIncluding": "5.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}